add age.secrets.*.{action,service}

Represents an action to perform or a systemd service to restart when the
secret changes.
This commit is contained in:
Taeer Bar-Yam 2021-12-29 12:25:41 -05:00
parent 7e5e58b98c
commit cd108c08e8


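--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -96,6 +96,17 @@ let
 Group of the decrypted secret.
 '';
 };
+action = mkOption {
+type = types.str;
+default = "";
+description = "A script to run when secret is updated.";
+};
+service = mkOption {
+type = types.str;
+default = "";
+description = "The systemd service that uses this secret. Will be restarted when the secret changes.";
+example = "wireguard-wg0";
+};
 symlink = mkEnableOption "symlinking secrets to their destination" // { default = true; };
 };
 });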
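Review bot: The description on the `action = mkOption` line does not say how or when the script runs, and the second hunk makes that non-obvious: the string is executed only as the reload step of a generated oneshot unit, so it does not fire the first time the unit is created. Suggest `description = "A shell script run (as the reload step of a generated systemd unit) when the secret changes; it does not run the first time the unit is created.";`. Since the value is interpreted as a script body, `types.lines` would express the intent better than `types.str`; the `action != ""` check in the second hunk keeps working either way because the default stays `""`. The options block these lines belong to starts before the hunk.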
@ -215,6 +226,41 @@ in
"agenixChownKeys" "agenixChownKeys"
]; ];
}; };
# services that watch for file changes and exectue the configured action
systemd.services = lib.mkMerge
(lib.mapAttrsToList
(name: {action, service, file, path, mode, owner, group, ...}:
let
fileHash = builtins.hashString "sha256" (builtins.readFile file);
restartTriggers = [ fileHash path mode owner group ];
in
lib.mkMerge [
(lib.mkIf (service != "") {
${service} = { inherit restartTriggers; };
})
(lib.mkIf (action != "") {
"agenix-${name}-action" = {
inherit restartTriggers;
# We execute the action on reload so that it doesn't happen at
# startup. The only disadvantage is that it won't trigger the
# first time the service is created.
reload = action;
reloadIfChanged = true;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = " "; # it complains if we only set ExecReload
# Give it a reason for starting
wantedBy = [ "multi-user.target" ];
};
})]) cfg.secrets);
}; };
} }
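Review bot: The generated `agenix-${name}-action` unit (from the `(lib.mkIf (action != "")` line onward) runs the user-supplied `action` string as its reload command with no `User`, `Group` or hardening in `serviceConfig`, so the hook executes with a system unit's default privileges, which is root unless a user is set elsewhere; this deserves a comment next to `reload = action;`, e.g. `# NOTE: runs with the unit's default (root) privileges; set serviceConfig.User if the hook does not need that.`, or a documented way to set the user. `fileHash` is computed by `builtins.readFile file` at evaluation time, so the trigger only reflects changes to the encrypted input, and that hash ends up in the generated unit file; a one-line comment stating that `file` is expected to be the ciphertext would prevent someone later pointing it at a plaintext path. The comment on the first added line has a typo: `exectue` should be `execute`. The `systemd.services` assignment ends within the hunk, while the enclosing attribute set is closed by the context lines at its end.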